### Disable Weak Ciphers such as RC4-MD5

Posted: **Fri Feb 22, 2019 8:49 am**

by **ruchshuk**

How can I force the client and SoftEther VPN Server to use AES encryption only? When I created the ovpn file using SoftEther VPN Server Manager, I used AES as the encryption algorithm and installed it on the client side. But I believe the server is not accepting it; it is looking for RC4-MD5. How can I fix it?

### Re: Disable Weak Ciphers such as RC4-MD5

Posted: **Tue May 21, 2019 7:40 am**

by **cedar**

I think SoftEther VPN Server can accept OpenVPN connection with AES encoding.

What error did you see?

### Re: Disable Weak Ciphers such as RC4-MD5

Posted: **Mon Oct 28, 2019 5:31 pm**

by **the6thbook**

I'm still having this issue. I can't get RC4-MD5 disabled:

https://github.com/SoftEtherVPN/SoftEtherVPN/pull/343

### Re: Disable Weak Ciphers such as RC4-MD5

Posted: **Sun Nov 03, 2019 12:49 am**

by **ozone**

I have the same issue.

A Mikrotik client connecting to a SE server always reverts to the weak RC4 cipher, although both support much higher ones like various forms of AES256...

But apparently, RC4 is all both nodes can agree upon during the initial handshake.

Until today, I have found no way of enforcing a higher cipher, nor got any hint of how to do this on this forum or from someone at SE.

...Still hoping though...

### Re: Disable Weak Ciphers such as RC4-MD5

Posted: **Sun Feb 28, 2021 5:59 pm**

by **sukupandachu**

Hi.

I have the same issue. I see it happens only when it connects through the VPNAzure relay network. Connecting directly through NAT utilizes the server selected cipher AES256-GCM-SHA384.

I am not sure if this has to do with network speed, which maybe forces SoftEther to use a weaker (and faster) cipher on slow networks (using the VPNAzure relay), or if it has to do with the VPNAzure network itself.

Does anyone know why this behavior occurs?

Can anyone point me in the right direction?

Thanks.

### Re: Disable Weak Ciphers such as RC4-MD5

Posted: **Mon Mar 08, 2021 2:25 pm**

by **AlexR**

Hi Community

I also run a server with SoftEther VPN. In the course of various security tests I noticed that the system allows connections with RC4.

I have counterchecked this with Test SSL Server, and the following list comes out.

Do I have any possibility to deactivate RC4?

```
TLSv1.2:
server selection: uses client preferences
3-- (key: RSA) RSA_WITH_RC4_128_MD5
3-- (key: RSA) RSA_WITH_RC4_128_SHA
3-- (key: RSA) RSA_WITH_3DES_EDE_CBC_SHA
3-- (key: RSA) RSA_WITH_AES_128_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_AES_128_CBC_SHA
3-- (key: RSA) RSA_WITH_AES_256_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_AES_256_CBC_SHA
3-- (key: RSA) RSA_WITH_AES_128_CBC_SHA256
3f- (key: RSA) DHE_RSA_WITH_AES_256_CBC_SHA256
3-- (key: RSA) RSA_WITH_AES_128_GCM_SHA256
3-- (key: RSA) RSA_WITH_AES_256_GCM_SHA384
```

Best Regards

Alex

### Re: Disable Weak Ciphers such as RC4-MD5

Posted: **Mon Mar 08, 2021 3:18 pm**

by **eddiewu**

The cipher list is hardcoded into the source code (Mayaqua/Network.c). You can change it and build it yourself.

Below is my modification based on Build 9745 for your reference.

Original version:

```c
static char *cipher_list = "RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DES-CBC-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384"
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
" DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305";
#endif
;
```

My version (to build with OpenSSL 1.1.x so the second list will be in effect):

```c
#if OPENSSL_VERSION_NUMBER < 0x10100000L
static char *cipher_list = "RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DES-CBC-SHA DES-CBC3-SHA DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 AES256-GCM-SHA384 AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384";
#endif
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
static char *cipher_list = "ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256";
#endif
```
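As an added example (not code from this thread or from SoftEther), the following Python script applies the same cleanup eddiewu did by hand, but mechanically: it audits a cipher list in OpenSSL spelling (as in the `cipher_list` string from Mayaqua/Network.c) or in the IANA-style suite names that Test SSL Server prints in AlexR's scan above, drops RC4, DES, 3DES and MD5 suites and, optionally, suites without forward secrecy, and moves AEAD suites to the front. The weakness rules and the AEAD-first ordering are this example's own choices, not a SoftEther or OpenSSL policy; the sample inputs are copied from the posts above.

```python
"""Audit TLS cipher lists for weak suites and forward secrecy.

Added example; not SoftEther code.  Handles two spellings: OpenSSL names
("RC4-MD5") and IANA-style names as printed by Test SSL Server
("RSA_WITH_RC4_128_MD5").  The weakness rules below are this example's own.
"""
import re

# Constructed input: the stock list quoted from Build 9745 in the thread.
STOCK_CIPHER_LIST = (
    "RC4-MD5 RC4-SHA AES128-SHA AES256-SHA DES-CBC-SHA DES-CBC3-SHA "
    "DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA AES128-GCM-SHA256 AES128-SHA256 "
    "AES256-GCM-SHA384 AES256-SHA256 DHE-RSA-AES128-GCM-SHA256 "
    "DHE-RSA-AES128-SHA256 DHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-SHA256 "
    "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 "
    "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-SHA384"
)

# Constructed input: eddiewu's replacement list for OpenSSL 1.1.x.
EDDIEWU_CIPHER_LIST = (
    "ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 "
    "ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 "
    "ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 "
    "ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 "
    "ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256"
)

# Constructed input: an excerpt of the Test SSL Server report posted above.
TESTSSLSERVER_REPORT = """\
TLSv1.2:
server selection: uses client preferences
3-- (key: RSA) RSA_WITH_RC4_128_MD5
3-- (key: RSA) RSA_WITH_3DES_EDE_CBC_SHA
3f- (key: RSA) DHE_RSA_WITH_AES_256_CBC_SHA
3-- (key: RSA) RSA_WITH_AES_256_GCM_SHA384
"""


def _tokens(name):
    """Split either spelling into upper-case tokens: 'RC4-MD5' -> ['RC4', 'MD5']."""
    return re.split(r"[-_]", name.upper())


def weak_reasons(name):
    """Return the reasons a suite is considered weak (empty list if it is not)."""
    t = _tokens(name)
    reasons = []
    if "RC4" in t:
        reasons.append("RC4 stream cipher")
    if "3DES" in t or "CBC3" in t:          # 3DES_EDE_CBC or DES-CBC3
        reasons.append("3DES (64-bit block)")
    elif "DES" in t:                        # plain DES-CBC
        reasons.append("single DES")
    if "MD5" in t:
        reasons.append("MD5 MAC")
    return reasons


def has_forward_secrecy(name):
    """Only (EC)DHE key exchange gives per-session keys."""
    t = _tokens(name)
    return "ECDHE" in t or "DHE" in t


def is_aead(name):
    t = _tokens(name)
    return "GCM" in t or "POLY1305" in t


def audit(names, require_pfs=True):
    """Return (kept, dropped); dropped is a list of (name, reason) pairs."""
    kept, dropped = [], []
    for name in names:
        reasons = weak_reasons(name)
        if not reasons and require_pfs and not has_forward_secrecy(name):
            reasons.append("no forward secrecy")
        if reasons:
            dropped.append((name, "; ".join(reasons)))
        else:
            kept.append(name)
    return kept, dropped


def harden_cipher_list(cipher_list, require_pfs=True):
    """Filter an OpenSSL cipher_list string and put AEAD suites first (stable sort)."""
    kept, _ = audit(cipher_list.split(), require_pfs)
    kept.sort(key=lambda n: 0 if is_aead(n) else 1)
    return " ".join(kept)


def parse_testsslserver(report):
    """Extract (uses_client_preferences, suite names) from a Test SSL Server dump."""
    uses_client_prefs = "uses client preferences" in report
    names = re.findall(r"\(key: \w+\)\s+(\S+)", report)
    return uses_client_prefs, names


if __name__ == "__main__":
    for name, why in audit(STOCK_CIPHER_LIST.split())[1]:
        print(f"drop {name:32} {why}")
    print("hardened:", harden_cipher_list(STOCK_CIPHER_LIST))
    prefs, names = parse_testsslserver(TESTSSLSERVER_REPORT)
    if prefs:
        print("server honours client order: a client listing RC4 first gets RC4")
    for name, why in audit(names)[1]:
        print(f"offered weak suite {name}: {why}")
```

Two things the script makes visible that the posts only hint at. First, the scan line `server selection: uses client preferences` means the server takes the first suite in the client's list that it also supports, so as long as RC4-MD5 stays in the server's list a client that lists it first (as in ozone's Mikrotik case) will negotiate it even though AES-GCM is available; removing the suite from the server's list is what actually closes that door. Second, the hardened list here is `DHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ...`, and applying the same filter to eddiewu's list returns it unchanged, which is a quick way to confirm that a hand-edited `cipher_list` string contains only what you intended before rebuilding.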

### Re: Disable Weak Ciphers such as RC4-MD5

Posted: **Mon Mar 08, 2021 5:49 pm**

by **AlexR**

Hi, and thanks for your answer!

Since I still have OpenSSL 1.0.2k-fips on the system, I simply changed the code as follows, so that the old RC4 ciphers are out.

The whole thing could be compiled and started and looks good at first sight.

From your point of view, does anything speak against this solution?

I would not like to update OpenSSL (CentOS 7 system).

Regards

Alex

```c
static char *cipher_list = "ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256"
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
" DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305";
#endif
;
```

### Re: Disable Weak Ciphers such as RC4-MD5

Posted: **Tue Mar 09, 2021 2:17 am**

by **eddiewu**

AlexR wrote (Mon Mar 08, 2021 5:49 pm):

```c
static char *cipher_list = "ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-RSA-CHACHA20-POLY1305 DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256"
#if OPENSSL_VERSION_NUMBER >= 0x10100000L
" DHE-RSA-CHACHA20-POLY1305 ECDHE-RSA-CHACHA20-POLY1305";
#endif
;
```

OK, it makes sense if you would like to stick to 1.0.x. And you can drop the two CHACHA20 ciphers in the first line too, as they are not supported in 1.0.x.